Federal Network Security Breaches Jump 650% in Five Years

The latest Government Accountability Office report underscored how poorly equipped federal departments and agencies are to prevent network security breaches.

Security
incidents at federal agencies have soared 650 percent over the past five years,
according to a report from the Government Accountability Office.
In
the past five years, the number of reported events has grown from 5,503 in 2006
to 41,776 in 2010, federal auditors wrote in a Government Accountability Office
report released Oct. 3. The GAO compiled the report based on information
from security-related reports and data from 24 federal agencies and departments
that were collected between September 2010 and October 2011.

Nearly
30 percent of incidents involved malware infections, making it the most
prevalent cyber-event, the report found. Other common issues included
violations of acceptable use policies and intrusions into networks,
applications and other data resources.

"Of
the 24 major agencies, none had fully or effectively implemented an agency-wide
information security program," Gregory C. Wilshusen, GAO director for
information security issues, wrote in the report.
Agencies
are vulnerable to cyber-attack and other security issues because they have
failed to implement proper security controls, GAO auditors wrote. Agencies do
not always adequately train system security personnel, regularly monitor
safeguards, fix vulnerabilities or resolve incidents in a timely manner when
they do occur, according to the report. These problems leave the departments
vulnerable to both external and internal threats, Wilshusen said.
"As
long as agencies have not fully and effectively implemented their information
security programs, including addressing the hundreds of recommendations that we
and inspectors general have made, federal systems will remain at increased risk
of attack or compromise," wrote Wilshusen.
The
audit found that the Internal Revenue Service does not block employees from
accessing databases not required for their jobs. As a result, financial and
taxpayer information "remain unnecessarily vulnerable" to insider
threats. The fact that any employee has access to the systems means there is an
increased risk of "unauthorized disclosure, modification or
destruction," the report said.
Another
incident involved a network user who clicked on a malicious link in an email.
The employee was told he'd won a new car in a lottery he'd supposedly entered
when he answered some questions on a survey about his pets. The employee
discovered later that several credit cards had been opened in his name and
large amounts of pet supplies ordered without his knowledge, according to the report.
The
GAO periodically updates Congress on how well federal departments are complying
with the 2002 Federal Information Security Act. FISMA is supposed to help
federal departments and agencies define security policies, conduct security
awareness training and implement proper surveillance of computer safeguards.
Under the law, passed in 2002, every agency in the federal government has to
have information security programs and plans for managing risks in place.
This
is not the first time in recent months the GAO has called out departments on
lax information security. In an August report, the GAO issued an audit report
of the Federal Deposit
Insurance Corporation that showed the FDIC did not use strong passwords,
review user access and failed to encrypt sensitive financial information. The
August GAO report found weaknesses in FDIC controls that are supposed to manage
system configurations, deploy patches and segregate certain network activities.